P PasteCode
en
English en 中文 zh Deutsch de Français fr Español es Português pt
Prompt

Prompt to Create a GitHub Actions Deploy Workflow

AI agent prompt to generate a production GitHub Actions CI/CD workflow for a Next.js app with type-check, test, build, and deploy steps.

CursorClaude CodeCodexWindsurf Next.jsTypeScriptCloudflare
.md .json Difficulty: Medium Updated Jun 8, 2026

Give this prompt to your agent to generate a battle-tested GitHub Actions workflow file that runs type-checking, tests, and a production build before deploying — without committing secrets or using deprecated action versions.

Main Prompt

Main Prompt
You are working in a Next.js 15 project that uses TypeScript and Bun as the package manager.
Deployments go to Cloudflare Pages.


Task: create a GitHub Actions CI/CD workflow at `.github/workflows/deploy.yml`.


Requirements:
- Trigger on: `push` to `main` and `pull_request` targeting `main`.
- On pull_request: run only the `ci` job (lint, typecheck, build).
- On push to main: run `ci` then `deploy` (deploy only if ci passes).
- `ci` job:
  - Runner: `ubuntu-latest`.
  - Steps: checkout, setup Bun (`oven-sh/setup-bun@v2`), `bun install --frozen-lockfile`,
    `bun run typecheck`, `bun run build`.
  - Cache: use `actions/cache@v4` to cache `node_modules` keyed on `bun.lock` hash.
- `deploy` job:
  - needs: [ci]
  - if: `github.event_name == 'push'`
  - Deploy to Cloudflare Pages using `cloudflare/wrangler-action@v3`.
  - Secrets used: `CLOUDFLARE_API_TOKEN` and `CLOUDFLARE_ACCOUNT_ID` (from GitHub secrets — do NOT
    hard-code values).
  - Set `command: pages deploy .next --project-name=my-app --branch=main`.
- Add a concurrency group to cancel in-progress runs on the same branch.
- Do NOT pin to `@v1` of any action — use the versions specified above.
- Do NOT store any secret value in the YAML file.


Stop and show the complete workflow YAML before writing the file.

Implementation Notes

  • oven-sh/setup-bun@v2 installs the Bun version from .bun-version or package.json#engines.bun if present — make sure one of those files exists or pin with bun-version: '1.x'.
  • --frozen-lockfile prevents the CI from silently upgrading deps; failing here means bun.lock is out of sync locally.
  • Cloudflare Pages with wrangler-action@v3 requires the project to exist in the Cloudflare dashboard first — document this prerequisite in a comment inside the YAML.
  • Concurrency: use group: ${{ github.workflow }}-${{ github.ref }} with cancel-in-progress: true.

Expected File Changes

.github/workflows/deploy.yml    (new)

Acceptance Criteria

  • A PR to main triggers only the ci job and posts a status check.
  • Merging to main triggers ci then deploy, in order.
  • No secrets appear in the YAML file.
  • A second push to the same branch cancels the previous in-progress run.

Test Commands

Terminal window
# validate YAML syntax locally
bun x @actions/validator .github/workflows/deploy.yml || true
# or use actionlint
docker run --rm -v "$(pwd):/repo" rhysd/actionlint:latest /repo/.github/workflows/deploy.yml

Common AI Mistakes

  • Hard-coding CLOUDFLARE_API_TOKEN value instead of using ${{ secrets.CLOUDFLARE_API_TOKEN }}.
  • Using deprecated actions/checkout@v2 or actions/cache@v2 instead of v4.
  • Running the deploy job on pull_request events, deploying from forks.
  • Missing needs: [ci] on the deploy job, allowing deploys even if tests fail.

Fix Prompt

Fix Prompt
The workflow deploys even when CI fails, or secrets are exposed. Fix in order:
1. Add `needs: [ci]` to the `deploy` job.
2. Add `if: github.event_name == 'push' && github.ref == 'refs/heads/main'` to the deploy job.
3. Replace any hard-coded token values with `${{ secrets.CLOUDFLARE_API_TOKEN }}`.
4. Upgrade any @v1/@v2 action references to the versions specified in the original prompt.
Show only the corrected YAML diff.
Tags: DeployNext.jsTypeScriptCloudflare

Related